Istio in Practice – Routing with VirtualService

By : rinormaloku
This entry is part 4 of 12 in the series Istio around everything else
Istio around everything else
  1. Istio an introduction
  2. Getting started with Istio
  3. Istio in Practice – Ingress Gateway
  4. Istio in Practice – Routing with VirtualService
  5. Istio out of the box: Kiali, Grafana & Jaeger
  6. A/B Testing – DestinationRules in Practice
  7. Shadowing – VirtualServices in Practice
  8. Canary Deployments with Istio
  9. Timeouts, Retries and CircuitBreakers with Istio
  10. Authentication in Istio
  11. Authorization in Istio
  12. Istio series Summary

The VirtualService resource

The VirtualService instructs the Ingress Gateway how to route the requests that were allowed into the cluster.

Fig 1. Routes to be configured with VirtualServices

For our application requests coming through the http-gateway must be routed to the sa-frontend, sa-web-app and sa-feedback services (shown in figure 1).

Let’s break down the requests that should be routed to SA-Frontend:

  • Exact path / should be routed to SA-Frontend to get the Index.html
  • Prefix path /static/* should be routed to SA-Frontend to get any static files needed by the frontend, like Cascading Style Sheets and JavaScript files.
  • Paths matching the regex ^.*\.(ico|png|jpg)$ should be routed to SA-Frontend as it is an image, that the page needs to show.

This is achieved by the following configuration:

Additionally, important here are the following points:

  1. This VirtualService applies to requests coming through the http-gateway.
  2. Destination defines the service where the requests are routed.

Note: The configuration above is in the file sa-virtualservice-external.yaml, it contains the configuration to route to SA-WebApp and SA-Feedback but was shortened here for brevity.

Apply the VirtualService with the command below:

$ kubectl apply -f resource-manifests/istio/sa-virtualservice-external.yaml
virtualservice.networking.istio.io "sa-external-services" created

Note: When we apply this resource (and actually all Istio CRD resources) the Kubernetes API Server creates an event received by Istio’s Control Plane which then applies the new configuration to the envoys (istio proxies, sidecar proxies) of every pod. And the Ingress Gateway controller is another Envoy which is configured by the Control Plane, visually presented in figure 2.

Fig. 2. Istio Pilot updating Envoy Proxy to allow traffic

The Sentiment Analysis app is accessible on http:/{{EXTERNAL-IP}}/. If you get a Not Found status, do not worry sometimes it takes a couple of minutes for the configuration to go in effect and update the envoy caches.

Before moving into the next section generate some traffic needed to demonstrate what we get out of the box from Istio. It’s insane! Meet me in the next article!

 

Istio out of the box: Kiali, Grafana & Jaeger >>
If you enjoyed the article, please share and comment below!
  • Silvia Dominguez

    Congratulations for the tutorial, just one question, does it make sense to define a virtual service without specifying a gateway?
    regards

    • Rinor Maloku

      Yes it does 🙂

      • Silvia Dominguez

        Okay I’m asking you this because I read that traditionality , Kubernetes has used an Ingress controller to handle the traffic that enters the cluster from the outside. When using Istio, this is no longer the case. Istio has replaced the familiar Ingress resource with new Gateway and VirtualServices resources.
        So I understand by your answer that is correct use this without gateway but it’s not the normal way and also reads that gives a lot of problems.
        Thanks!!

        • Rinor Maloku

          Yeah, I really like your summary, It is possible to accept traffic through an Kubernetes Ingress Controller and that VirtualServices can be used for finer control when services are targeting each other.
          But the normal way would be to use Istio’s Ingress Gateway as it provides additional benefits (and would be the single source of truth for what is happening with your network traffic)

  • Steven Bryant

    Good coverage, but I would like to understand the host part of the route specification better since up to this point host really was not covered as a kubernetes concept. There should be a note as to what host is referring to. Why is host used in this manner? I am guessing because the virtual service could also be used for accessing resources outside a kb cluster?

  • Steven Bryant

    Do you happen to know how VirtualService would apply with grpc services? The docs on istio only cover http/tcp types. What about grpc over http2? What is available for this?

  • Shay

    Thank you for your selfless dedication. I wonder if you could show the source code of http-gateway service. As I wish to have a look about what you do in this service, authentication or something else?

  • Yuva Raj

    Thanks a lot for the tutorials. I am able to deploy the pods but when I try to access it in browser. Not able to access the static assets of the frontend app, getting 404 error in browser console. I just clone the istio-mastery repo and executing the commands as mentioned in tutorials. Appreciate your help to resolve this issue.

  • Aslam

    For react based FE, option ‘/’ needs to used as indicated by the article above. What if we want to use same DNS (Ingress) for many applications and path based routing is used as “/app1”, “/app2” etc rather then just “/”. Is it possible if the FE is based on React?